Once upon a time…
I touched on this story in my article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, but i wanted to give it a dedicated page and expand on it because i keep coming across bits of information which seem to verify something i was told long ago.
So i once sold a PC to a guy who said he had worked for the government either directly or as a contractor, i don’t recall which and he didn’t state which department he worked for. He said he had a security clearance and, as i recall, it was a crypto clearance. He left me with the strong impression that he wasn’t going to provide a lot of detail as to what exactly he did, however i had no reason to disbelieve anything he said since he seemed genuine and very matter-of-fact. Our time together was short because he had to be somewhere, but we chatted a while and he touched upon some very interesting topics that i wanted to know more about and so i suggested that we continue our conversation through encrypted email. He looked at me and responded with threes that stuck with me ever since: “Encryption is useless”.
Obviously encryption is not useless, but i think what he meant was that the government or ‘intelligence’ community or whoever, has the ability to break whatever encryption existed at that time. While i was somewhat skeptical about his statement back then in 2003 or so, that skepticism has since evaporated. First of all we have to consider the computing power that the intelligence communities have access to. Let’s assume that you’re encrypting an email using some supposedly highly secure encryption algorithm along with a very long and secure passphrase, and let’s further assume that it would take roughly 10,000 years for the average computer to break it. Would you feel confidant using such encryption? Well, what happens if that code breaking computer is 100,000 times more powerful than average? And what if you chain together 1,000 of those computers? Breaking that encryption may now be possible in a few hours or seconds. Does the government not have access to computers that are orders of magnitude more powerful than anything the general public has? And what might they have that we don’t know about?
Whether encryption is useless or not depends upon the threat that we want to mitigate i think. For example, if you wanted to download copyrighted content and protect yourself from having your ISP monitor your internet traffic and send you nasty-grams, then encryption is certainly not useless. However given what i have read and heard over the years, i strongly suspect that encryption is not effective if it is, for example, the NSA that decides to target you and i think that multiple statements and documents released by Edward Snowden verify that. There is perhaps another possibility here though. What if, as some suspect, Snowden was allowed to leak what he did, sort of as a limited hangout? Personally i think Snowden is genuine, but that doesn’t necessarily mean that the information in the documents he released wasn’t intended to be released. What if the U.S. intelligence community wanted to quell a potential uprising by we the people? It is apparently a historic fact that one way to accomplish this is to make people think they are being surveilled which, in turn, compromises their ability to communicate due to self-censorship. While i think we can be reasonably certain that everything we say or do on-line, or while in the presence of a smartphone, can be spied upon and stored indefinitely, how does one process such a vast amount of data? Snowden also raises this question and states that the massive, ongoing and patently illegal and unconstitutional data collection practices as employed by intelligence communities are not effective in preventing threats because of the massive net they cast.
In closing i would say that it doesn’t matter if the threat is real or not, or whether strong encryption can be broken or not. Since we simply cannot know for certain in all instances, we must assume the threats are creditable, however i do not wish to scare people unnecessarily. I think that activists, journalists, whistle-blowers and everyone else should never be dissuaded from communicating, however i also think we need to be aware of the threats.
Resources used to write this article
- Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU | ExtremeTech
- How secure is today’s encryption against quantum computers? | betanews
- Revealed: how US and UK spy agencies defeat internet privacy and security | The Guardian
- The NSA Can Beat Almost Any Type of Encryption | Gizmodo
- N.S.A. Able to Foil Basic Safeguards of Privacy on Web | The New York Times
- The Clock Is Ticking for Encryption | Computerworld
- NSA Utah Data Center – Serving Our Nation’s Intelligence Community | NSA
- Had a copyright letter from your ISP? Do tell… | The Guardian